Re: draft-ietf-dnsext-dnssec-gost

Andrew Sullivan <> Thu, 11 February 2010 21:03 UTC

Date: Thu, 11 Feb 2010 16:04:34 -0500
From: Andrew Sullivan <>
To: Olafur Gudmundsson <>
Subject: Re: draft-ietf-dnsext-dnssec-gost

On Thu, Feb 11, 2010 at 03:11:27PM -0500, Olafur Gudmundsson wrote:
> Who gets to decide on what algorithms get first class status and based  
> on what criteria?

Without wanting to put words in Olafur's mouth, it seems to me that a
couple details are needed as background to focus this debate.  

At the moment, the only way to add a new algorithm to DNSSEC is
standards action.  So in order to add GOST, we have to have a
standards-track document.

We also have the problem that DNS clients cannot negotiate their
algorithms with the other end of the communication.  Moreover, the
natural fallback -- use a "MAY" algorithm by preference, but include a
MUST algorithm so that everyone can verify your signatures -- will
increase the size of DNS responses.  Alternatively, one can use a
"MAY" algorithm only, but with the knowledge that a substantial number
of people might not be able to validate (so they'll treat the answer
as unsecured, and not get the benefit of DNSSEC).

So the question here is not what algorithms get "first class" status
in general, but whether we want to have different classes of support
for DNSSEC, given the current conditions.  

Thanks and best regards,


Andrew Sullivan
Shinkuro, Inc.
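An added illustration of the two fallbacks described in the message above (it is not part of Andrew's mail, the GOST draft, or any resolver's code). It models the validator rules of RFC 4035 section 5 and RFC 6840 section 5.11 with simulated signature results, and works out the wire-size cost of carrying a second RRSIG. Assumptions: RSA-2048 keys (256-octet signatures), the 64-octet ECC-GOST signature of RFC 5933, the names "www.example." and "example.", no name compression, and the algorithm number 12 that RFC 5933 assigned to ECC-GOST (the draft under discussion here predates that assignment).

```python
"""Simulated DNSSEC validator outcomes when a zone signs with an algorithm
that not every validator supports, plus the size cost of dual signing.
No real cryptography is performed; RRSIG verification results are
constructed inputs."""
from dataclasses import dataclass, field

# Algorithm numbers from the IANA DNSSEC algorithm registry.
RSASHA1 = 5
RSASHA256 = 8
ECC_GOST = 12        # RFC 5933 (assigned after this thread)

# Signature length in octets. RSA-2048 is an assumed key size giving a
# 256-octet signature; an ECC-GOST signature is 64 octets (RFC 5933).
SIG_OCTETS = {RSASHA1: 256, RSASHA256: 256, ECC_GOST: 64}

SECURE, INSECURE, BOGUS = "Secure", "Insecure", "Bogus"


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: a length octet per label
    plus the single zero octet of the root label."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return sum(1 + len(lbl) for lbl in labels) + 1


def rrsig_rr_size(alg: int, owner: str, signer: str) -> int:
    """Wire size of one RRSIG RR (RFC 4034 s3.1): owner name, the 10 octets
    of TYPE/CLASS/TTL/RDLENGTH, 18 octets of fixed RDATA (type covered,
    algorithm, labels, original TTL, expiration, inception, key tag), the
    signer's name (never compressed) and the signature itself."""
    return wire_name_len(owner) + 10 + 18 + wire_name_len(signer) + SIG_OCTETS[alg]


@dataclass
class Zone:
    name: str
    ds_algs: set                 # algorithms present in the parent's DS RRset
    dnskey_algs: set             # algorithms present in the zone's DNSKEY RRset
    # alg -> whether the RRSIG of that algorithm over the answer verifies
    rrsig_ok: dict = field(default_factory=dict)


def validate(zone: Zone, supported: set) -> str:
    """Classify an answer from `zone` for a validator supporting `supported`."""
    # RFC 4035 s5.2: if the validator supports none of the DS algorithms it
    # has no authentication path at all, and treats the zone as unsigned.
    # This is the "treat the answer as unsecured" case from the message.
    if not zone.ds_algs & supported:
        return INSECURE
    # RFC 6840 s5.11: a single verifying RRSIG under a supported algorithm,
    # backed by a DNSKEY of that algorithm, authenticates the RRset; the
    # validator must not require every signalled algorithm to work.
    for alg, ok in zone.rrsig_ok.items():
        if ok and alg in supported and alg in zone.dnskey_algs:
            return SECURE
    # A supported chain was advertised but nothing on it verified: Bogus,
    # which is a SERVFAIL for the client, not a downgrade to unsigned.
    return BOGUS


def dual_signing_overhead(owner: str, signer: str, extra_alg: int) -> int:
    """Octets added to a one-RRset answer by signing with one more algorithm."""
    return rrsig_rr_size(extra_alg, owner, signer)


# Constructed scenarios: a validator without GOST, one with it, and three zones.
OLD_VALIDATOR = {RSASHA1, RSASHA256}
NEW_VALIDATOR = {RSASHA1, RSASHA256, ECC_GOST}

GOST_ONLY = Zone("example.", {ECC_GOST}, {ECC_GOST}, {ECC_GOST: True})
DUAL = Zone("example.", {RSASHA256, ECC_GOST}, {RSASHA256, ECC_GOST},
            {RSASHA256: True, ECC_GOST: True})
# Dual DS and DNSKEY, but the operator only produced the GOST RRSIG.
HALF_SIGNED = Zone("example.", {RSASHA256, ECC_GOST}, {RSASHA256, ECC_GOST},
                   {ECC_GOST: True})


def scenarios() -> dict:
    return {
        "gost-only/old validator": validate(GOST_ONLY, OLD_VALIDATOR),
        "gost-only/new validator": validate(GOST_ONLY, NEW_VALIDATOR),
        "dual-signed/old validator": validate(DUAL, OLD_VALIDATOR),
        "half-signed/old validator": validate(HALF_SIGNED, OLD_VALIDATOR),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: {outcome}")
    print("extra octets per RRset for the RSA RRSIG:",
          dual_signing_overhead("www.example.", "example.", RSASHA256))
    print("extra octets per RRset for the GOST RRSIG:",
          dual_signing_overhead("www.example.", "example.", ECC_GOST))
```

The half-signed zone is the caveat worth keeping in mind when weighing the two fallbacks: once a DS for a supported algorithm is published, a validator that sees no verifiable RRSIG under that algorithm returns Bogus rather than falling back to unsigned, so a zone that lists several algorithms in its DNSKEY RRset has to sign every RRset with each of them. The size figures count only RRSIG RRs on a single RRset; the DNSKEY RRset and the DS RRset grow as well.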